Sunday, November 1, 2015

Before closing off, the decision was made to take a look at the ShimCache, ShellBags and Prefetch to see if there was information there which might bear on Alyssa’s concerns.

To take a look at the ShimCache, the following command was executed: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 shimcache > shimcache-results.txt”. Next the command “cat shimcache-results.txt” was executed. While generally things “seemed normal”, two entries which stood out to me were “MSID117.tmp”, which ran from “C:\Windows\Installer”, and “setup.exe”, which was executed from “C:\windows\TEMP\CR_50612”. According to (productforums.google.com, n.d.) this may be related to Google update services and may have contributed to the slowness she experienced. The fact that there are other Google-related entries around the same time suggests that this may actually be related to Google products.

Figure 16: Above shows data from ShimCache

Peering into the ShellBags to see if anything stood out did not produce anything that made me want to look further.

To look at the ShellBags, the following command was used: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 shellbags > shellbag-result.txt”. Next the command “cat shellbag-result.txt” was executed.

Finally, as with the ShellBags, a review of the Prefetch data did not produce anything that caused me to want to look further. To view the information in Prefetch, the following command was executed: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 prefetchparser > prefetchparser-results.txt”. Next the command “cat prefetchparser-results.txt” was executed.

At this point it was decided to end this analysis since, after the efforts which have been extended so far, I have been unable to say with any certainty that this computer is infected.

Conclusion

While initially Alyssa mentioned the computer was running slow and that she thinks she may be infected with a virus, from the memory dump I extracted of her machine I was unable to find any evidence to support her theory from the processes and/or network connections which began my initial investigation. More importantly, there can be numerous reasons why I was unable to detect any viruses, but simply from the data I examined I was unable to find anything.

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis